Keeping up with the World of Cloud Computing:
What Should Internal Audit be Thinking About?
Agenda
• Introductions
Introductions
Jeff Spivack, Grant Thornton
• Partner and Practice Leader – Business Advisory Services, Greater Bay Area
• National Solution Group member for service organization matters relating to cloud computing
• Local leader for all Governance, Risk and Compliance services
• Over 25 years of consulting and industry experience in New York and Greater Bay area markets
Introductions
Keith Chin, Salesforce.com
• Internal Audit Manager, San Francisco
• 12 years of internal audit experience
• External audit experience at Deloitte, primarily in the technology and banking industries
• License management and internal audit manager at Oracle
Introductions
Lisa Core, Salesforce.com
• Technology Audit & Compliance Program Manager
• 3 years of experience in KPMG's IT Advisory Group
• Organized and designed a full program of over 300 IT controls at Salesforce.com
• Leads many technology related audits and assessments
• What is your experience with cloud computing?
• How does your company utilize cloud computing?
• What level of involvement did your Internal Audit group have with your Company’s cloud computing implementation?
• Has your company’s cloud environment been audited?
Learning objectives – Presentation focus
Today’s presentation will focus on the following:
• Understanding primary outsourced/hosted cloud computing options, industry trends, and benefits, including observations from a market leader
• Methods for deciding if cloud computing fulfills the organization’s business needs and risk appetite
Agenda
• Introductions
• Cloud computing overview
Cloud computing overview
Why the buzz?
Cloud computing is the future of IT
• A new and flexible model for deploying technology
• Extremely reliable and infinitely scalable
• Cost benefits and ease of ownership
• Allows you to expand or contract as business needs dictate
• More than 300 CAEs surveyed responded that:
– 77% are at least somewhat familiar with cloud computing
– 69% use cloud computing; many expect cloud computing use to increase (45%) or stay the same (55%) in the next 12 months
• When asked to describe their view as to the security, governance, risk and controls implications in moving to a cloud environment, 43% responded "I haven’t really given it much thought."
• 64% of respondents do not include cloud computing in their audit plan
“Looking past the current industry hype surrounding all things Cloud, Forrester believes that Cloud computing is a sustainable, long-term IT paradigm, and the successor to previous mainframe, client/server, and network computing eras.”
- Forrester Research, Inc., “The Evolution of Cloud Computing Markets”
Cloud computing overview
“The cloud is about immediacy, elasticity, and utility economics”
Mark Shuttleworth, Ubuntu & Canonical
“The cloud is water vapor”
Larry Ellison, Oracle
Cloud computing overview
The cloud stack, from infrastructure up to application:
#1 Infrastructure: Data Center, Processor, Memory, Storage; Virtualized & Dynamic, Redundant
#2 Platform: Operating System, Web Servers, Database Servers, Operational Services; Virtualized
#3 Application: Google Apps, Salesforce, Mobile Me
Cloud computing overview
Types and models
Types of Clouds
• Public - Shared computer resources provided by an off-site third-party provider
• Private - Dedicated computer resources provided by an off-site third party, or use of cloud technologies on a private internal network
• Hybrid - Consisting of multiple public and private clouds
Models of Cloud:
• Software as a Service (SaaS) - Software applications delivered over the Internet
• Platform as a Service (PaaS) - Full or partial operating system/development environment delivered over the Internet
• Infrastructure as a Service (IaaS) - Virtualized compute, storage and network resources delivered over the Internet
Cloud computing overview
• Software as a Service (SaaS) – The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
• Platform as a Service (PaaS) – The consumer has control over the deployed applications and possibly application hosting environment configurations.
• Infrastructure as a Service (IaaS) – The consumer has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).
Agenda
• Introductions
• Cloud computing overview
• Risks and audit strategies
"A widespread failure in Amazon.com’s Web services business affected many Internet sites, highlighting the risks involved when companies rely on so-called cloud computing. The problems affected sites including Quora.com, Reddit.com, GroupMe.com and Scvngr.com, which all posted messages to their visitors about the issue. Most of the sites have been inaccessible for hours, and others were only partly operational…"
- NYTimes.com, April 21, 2011
Risks and audit strategies
"A data breach at one of the world's largest providers of marketing email services may have enabled unauthorized people to access the names and email addresses for customers of major financial-services, retailing and other companies."
- WSJ.com, April 4, 2011
• What are the physical components of the “Clouds”?
– Data Centers – self-hosted, third-party, both, etc.?
– Network circuits and firewalls – who’s managing, who’s watching, etc.?
– Disaster preparedness and recoverability – is there a plan, is it tested, etc.?
– Who is aware of and managing vendor SLAs, and are they adequate?
• Where’s the data and how is it protected?
– In-flight, standing still/at-rest, etc.?
– Archives and back-up?
– Unintended uses?
– Data privacy and compliance?
• What is the tone at the top?
– Stakeholder knowledge of attributes and risks
– Have internal controls evolved effectively?
• When outsourcing parts of their business (including cloud computing),
companies are still responsible for the data, processing and/or
services provided by the outsourcing company (service organization).
• As a result, many companies (and their auditors) desire or require
their service organizations to obtain an independent assessment of
their security, availability, processing integrity, confidentiality and
privacy practices.
Risks and audit strategies
• SSAE No. 16, Reporting on Controls at a Service Organization, superseded SAS 70 on June 15, 2011.
• There are several reporting options for service auditors examining controls at service organizations:
  SOC 1 (issued under SSAE 16) – addresses financial reporting risks; the report includes testing details
  SOC 2 – addresses nonfinancial reporting risks (security, availability, processing integrity, confidentiality, privacy); the report includes testing details
  SOC 3 – addresses nonfinancial reporting risks; a "pass" report without testing details, suitable for a seal display
Risks and audit strategies
Six additional risk areas
Risks and audit strategies
1. Security – risks
• The cloud provider’s security policies are not as strong as the Company’s data security requirements
• Cloud systems which store Company data are not updated or patched when necessary
• Security vulnerability assessments or penetration tests are not performed to ensure logical and physical security controls are in place
Risks and audit strategies
1. Security – audit strategy
• Determine if the cloud provider meets or exceeds the Company’s security requirements
• Determine if the cloud provider’s security posture is based on a recognized security standard (e.g., ISO 27001, Cloud Security Alliance guidance, PCI DSS)
• Determine if the cloud provider has independent security assessments (vulnerability assessments, penetration tests) performed, and review the results and remediation status
• Determine if the cloud provider’s Service Organization Report (e.g., SSAE 16, SOC
Risks and audit strategies
2. Multi-tenancy – risks
• Company data is not appropriately segregated on shared hardware, resulting in Company data being inappropriately accessed by third parties (other tenants)
• The cloud service provider has not deployed appropriate access controls and encryption to ensure data is appropriately segregated both at rest and in transit
• The cloud service provider cannot determine the specific location of the Company’s data on its systems
• Company data resides on shared server space, which might conflict with regulatory
Risks and audit strategies
2. Multi-tenancy – audit strategy
• Inquire about the cloud service provider’s methods for preventing the Company’s data from being accessed by other customers/third parties (e.g., logical access controls, tenant-level data segregation) and, where permitted, test the segregation directly using the Company’s own user accounts
• Review the cloud service provider’s SLA/contract to determine if it addresses security of the Company’s data
• Review independent audit report(s) related to the cloud provider’s security posture (e.g.,
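The multi-tenancy risk above, and the case study later in this deck (existing user IDs could view and edit another company's payroll), both come down to one control: every read and write must be scoped to the caller's tenant, not just to a record ID. The following is an added example, not code from the presentation or from any provider it names; the payroll store, tenant names, record IDs and sessions are constructed for the demo. It shows a lookup that checks only the primary key (the failure mode), the hardened version that enforces tenant ownership, and the probe an auditor can run with ordinary user accounts to find cross-tenant access before a provider's report does.

```python
"""Tenant-isolation check for a multi-tenant SaaS data layer (added example).

Assumption: all tenants share one table keyed by record_id; the tenant a user
belongs to is carried on the session. Names and data are constructed.
"""
from dataclasses import dataclass


class TenantIsolationError(PermissionError):
    """Raised when a caller touches a record owned by another tenant."""


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str  # the customer ("tenant") the logged-in user belongs to


@dataclass
class PayrollRecord:
    record_id: int
    tenant_id: str
    employee: str
    salary: int


# Constructed sample data: two customers ("acme", "globex") sharing one store.
RECORDS = {
    1001: PayrollRecord(1001, "acme", "A. Jones", 85000),
    1002: PayrollRecord(1002, "acme", "B. Lee", 92000),
    2001: PayrollRecord(2001, "globex", "C. Smith", 78000),
}


def get_payroll_vulnerable(session: Session, record_id: int) -> PayrollRecord:
    """Failure mode: lookup by primary key only, the caller's tenant is never
    checked. Any authenticated user who guesses another customer's record id
    can read that customer's data."""
    return RECORDS[record_id]


def set_salary_vulnerable(session: Session, record_id: int, salary: int) -> None:
    """Same defect on the write path: another tenant's record can be edited."""
    RECORDS[record_id].salary = salary


def _owned(session: Session, record_id: int) -> PayrollRecord:
    """Shared guard: resolve the record, then require that it belongs to the
    caller's tenant. Reporting 'not found' for both a missing and a foreign
    record avoids confirming that another tenant's record id exists."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.tenant_id != session.tenant_id:
        raise TenantIsolationError(
            f"record {record_id} not found for tenant {session.tenant_id}")
    return rec


def get_payroll(session: Session, record_id: int) -> PayrollRecord:
    """Hardened read: tenant ownership enforced in the data layer."""
    return _owned(session, record_id)


def set_salary(session: Session, record_id: int, salary: int) -> None:
    """Hardened write: same guard, so edits cannot cross tenants either."""
    _owned(session, record_id).salary = salary


def cross_tenant_reads(read_fn, sessions, record_ids):
    """Audit probe: every session tries every record id. Returns the
    (user, record_id) pairs where a user read a record outside its tenant."""
    leaks = []
    for s in sessions:
        for rid in record_ids:
            try:
                rec = read_fn(s, rid)
            except (KeyError, TenantIsolationError):
                continue
            if rec.tenant_id != s.tenant_id:
                leaks.append((s.user, rid))
    return leaks


def probe_edit(edit_fn, session: Session, record_id: int, new_salary: int) -> bool:
    """Audit probe for the write path: True if the edit was accepted."""
    try:
        edit_fn(session, record_id, new_salary)
    except (KeyError, TenantIsolationError):
        return False
    return True


# Constructed sessions: one ordinary user per tenant, as an auditor would use.
SESSIONS = [Session("acme_auditor", "acme"), Session("globex_hr", "globex")]

if __name__ == "__main__":
    print("vulnerable read leaks:", cross_tenant_reads(get_payroll_vulnerable, SESSIONS, RECORDS))
    print("hardened read leaks:  ", cross_tenant_reads(get_payroll, SESSIONS, RECORDS))
    print("cross-tenant edit accepted (hardened):",
          probe_edit(set_salary, SESSIONS[1], 1001, 1))
```

The probe is deliberately dumb: it enumerates record IDs with a low-privilege account from each tenant and reports anything returned that the account should not own. That is exactly the kind of limited test procedure that surfaces a segregation gap a Service Organization Report may not, because the report attests to the provider's described controls, not to every code path that reads tenant data.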
Risks and audit strategies
3. Data location – risks
• The Company is not aware of all of the cloud service provider’s physical location(s)
• The Company does not know where their data is physically or virtually stored
• The Cloud service provider moves company data to another location without informing the Company
Risks and audit strategies
3. Data location – audit strategy
• Inquire with the cloud provider about the specific physical and virtual location(s) of the Company’s data, and whether the Company is notified before data is moved
• Work with the Company’s legal group to fully understand the impact and potential risks of the Company’s data residing in a foreign country
Risks and audit strategies
4. Reliability – risks
• The cloud service provider has quality of service standards which conflict with business requirements
• During peak system activity times, the cloud service provider experiences system performance issues that result in the following:
- Company employees cannot access the Company’s data when needed
- Customers are unable to use the
Risks and audit strategies
4. Reliability – audit strategy
• Inquire of the cloud service provider to determine the controls in place to ensure the reliability of the cloud solution
• Obtain an SLA/contract from the cloud service provider which details the specific reliability agreement for the Company. Compare this information to actual performance
Risks and audit strategies
5. Sustainability – risks
• In the event the cloud service provider goes out of business, the Company might not be able to retrieve the Company’s data. In addition, another third party might gain access/control of the Company’s data
• The cloud service provider does not have appropriate system recovery procedures in place in the event of a disaster
• The Company’s business continuity plan does not address the cloud’s service offering being unavailable
Risks and audit strategies
5. Sustainability – audit strategy
• Inquire of the cloud service provider to determine if they have adequate controls in place to recover and protect the Company’s data even in the event of a disaster
• Review the Company’s business continuity plan and determine if the plan addresses interruptions with the cloud solution
• Inquire of the cloud service provider to
Risks and audit strategies
6. Scalability – risks
• The cloud service provider’s systems cannot scale to meet the Company’s anticipated growth, both for a short-term spike and/or to meet a long-term strategy
• If the Company decides to migrate all or part of the Company’s system and/or data back in-house (or to another provider), the cloud
Risks and audit strategies
6. Scalability – audit strategy
• Determine if the cloud provider’s system can scale to meet the Company’s expected short-term spikes and/or growth over the next five years
• Determine if the Company has a contingency plan in the event the cloud provider’s systems cannot scale to meet the Company’s needs
• Determine who is the “owner” of the Company’s data
• Determine if the cloud provider would allow the Company to move data back in house and/or to another provider. Determine the specific
Risks and audit strategies
Case study
• An energy solutions company, a leading provider in its market, with annual revenues in excess of $850 million and a payroll of 400 employees
• Senior Management decided to outsource the payroll system to a SaaS cloud vendor to gain efficiency and cost savings
• Internal Audit identified payroll as a high-risk area since this was the Company’s first use of a cloud computing solution
Risks and audit strategies
Case study (cont'd)
• The Company's Internal Audit department reviewed the cloud provider's Service Organization Report and did not note any exceptions
• Internal Audit also used existing user IDs to perform limited audit procedures and discovered that they had access to view and edit another company's payroll information, a tenant segregation gap the Service Organization Report had not surfaced
• The Company discussed the findings with the cloud provider and determined the error